From 033ab5b6488250c8c3b838f25a7cbc3e099230bb Mon Sep 17 00:00:00 2001
From: Michael Zillgith <michael.zillgith@mz-automation.de>
Date: Wed, 12 Aug 2020 07:25:37 +0200
Subject: [PATCH] - COTP: fixed possible heap buffer overflow when handling
 message with invalid (zero) value in length field (#250)

[Retrieved from:
https://github.com/mz-automation/libiec61850/commit/033ab5b6488250c8c3b838f25a7cbc3e099230bb]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 src/mms/iso_cotp/cotp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/mms/iso_cotp/cotp.c b/src/mms/iso_cotp/cotp.c
index cbb34b36..8c37d262 100644
--- a/src/mms/iso_cotp/cotp.c
+++ b/src/mms/iso_cotp/cotp.c
@@ -720,6 +720,9 @@ CotpConnection_readToTpktBuffer(CotpConnection* self)
             goto exit_waiting;
     }
 
+    if (self->packetSize <= bufPos)
+        goto exit_error;
+
     readBytes = readFromSocket(self, buffer + bufPos, self->packetSize - bufPos);
 
     if (readBytes < 0)
